Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (257328 => 257329)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog 2020-02-25 16:01:12 UTC (rev 257328)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog 2020-02-25 16:01:17 UTC (rev 257329)
@@ -1,3 +1,16 @@
+2020-02-12 Sunny He <sunny...@apple.com>
+
+ Fix crash due to uninitialized currentStyle in CSSTransition
+ https://bugs.webkit.org/show_bug.cgi?id=205959
+ <rdar://57073673>
+
+ Reviewed by Antoine Quint.
+
+ Fix crash due to uninitialized currentStyle in CSSTransition
+
+ * legacy-animation-engine/transitions/svg-bad-scale-crash-expected.txt: Added.
+ * legacy-animation-engine/transitions/svg-bad-scale-crash.html: Added.
+
2020-02-11 Sihui Liu <sihui_...@apple.com>
IndexedDB: iteration of cursors skip records if deleted
Added: releases/WebKitGTK/webkit-2.28/LayoutTests/legacy-animation-engine/transitions/svg-bad-scale-crash-expected.txt (0 => 257329)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/legacy-animation-engine/transitions/svg-bad-scale-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/legacy-animation-engine/transitions/svg-bad-scale-crash-expected.txt 2020-02-25 16:01:17 UTC (rev 257329)
@@ -0,0 +1,4 @@
+
+Confirm that SVG elements with bad scale don't crash when nearby elements go through transitions.
+
+PASS
Added: releases/WebKitGTK/webkit-2.28/LayoutTests/legacy-animation-engine/transitions/svg-bad-scale-crash.html (0 => 257329)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/legacy-animation-engine/transitions/svg-bad-scale-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/legacy-animation-engine/transitions/svg-bad-scale-crash.html 2020-02-25 16:01:17 UTC (rev 257329)
@@ -0,0 +1,21 @@
+<html>
+<style>
+ a { -webkit-perspective-origin-y: 0mm; -webkit-transition: 5s; }
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ function setBadScale() {
+ try { svgvar.currentScale = undefined } catch(err) {};
+ }
+
+</script>
+<body>
+ <svg _onload_="setBadScale()"></svg>
+ <a></a>
+ <svg id="svgvar"></svg>
+ <p>Confirm that SVG elements with bad scale don't crash when nearby elements go through transitions.</p>
+ PASS
+</body>
+</html>
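Review bot: The load handler on the first `<svg>` reads `_onload_="setBadScale()"`; if that spelling is what is checked in, rather than an artifact of how this listing was mailed or archived, the attribute is meaningless to the parser, `setBadScale()` never runs, `svgvar.currentScale` is never set, and the test passes without touching the crash path, because `PASS` is static markup and this test can only fail by crashing. Worth confirming the committed file reads `onload="setBadScale()"`. The `try { ... } catch(err) {};` also swallows any TypeError from the bad assignment, which is fine for a crash test, but a one-line comment such as `// The assignment may throw; what is under test is that the later transition does not crash.` would make the intent explicit for the next reader.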
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (257328 => 257329)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-02-25 16:01:12 UTC (rev 257328)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-02-25 16:01:17 UTC (rev 257329)
@@ -1,3 +1,18 @@
+2020-02-12 Sunny He <sunny...@apple.com>
+
+ Fix crash due to uninitialized currentStyle in CSSTransition
+ https://bugs.webkit.org/show_bug.cgi?id=205959
+ <rdar://57073673>
+
+ Reviewed by Antoine Quint.
+
+ Test: legacy-animation-engine/transitions/svg-bad-scale-crash.html
+
+ * animation/CSSTransition.cpp:
+ (WebCore::CSSTransition::create):
+ (WebCore::CSSTransition::CSSTransition):
+ * animation/CSSTransition.h:
+
2020-02-11 Yusuke Suzuki <ysuz...@apple.com>
Compress ImmutableStyleProperties by using PackedPtr
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/animation/CSSTransition.cpp (257328 => 257329)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/animation/CSSTransition.cpp 2020-02-25 16:01:12 UTC (rev 257328)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/animation/CSSTransition.cpp 2020-02-25 16:01:17 UTC (rev 257329)
@@ -38,7 +38,8 @@
Ref<CSSTransition> CSSTransition::create(Element& owningElement, CSSPropertyID property, MonotonicTime generationTime, const Animation& backingAnimation, const RenderStyle* oldStyle, const RenderStyle& newStyle, Seconds delay, Seconds duration, const RenderStyle& reversingAdjustedStartStyle, double reversingShorteningFactor)
{
- auto result = adoptRef(*new CSSTransition(owningElement, property, generationTime, backingAnimation, newStyle, reversingAdjustedStartStyle, reversingShorteningFactor));
+ ASSERT(oldStyle);
+ auto result = adoptRef(*new CSSTransition(owningElement, property, generationTime, backingAnimation, *oldStyle, newStyle, reversingAdjustedStartStyle, reversingShorteningFactor));
result->initialize(oldStyle, newStyle);
result->setTimingProperties(delay, duration);
@@ -47,11 +48,12 @@
return result;
}
-CSSTransition::CSSTransition(Element& element, CSSPropertyID property, MonotonicTime generationTime, const Animation& backingAnimation, const RenderStyle& targetStyle, const RenderStyle& reversingAdjustedStartStyle, double reversingShorteningFactor)
+CSSTransition::CSSTransition(Element& element, CSSPropertyID property, MonotonicTime generationTime, const Animation& backingAnimation, const RenderStyle& oldStyle, const RenderStyle& targetStyle, const RenderStyle& reversingAdjustedStartStyle, double reversingShorteningFactor)
: DeclarativeAnimation(element, backingAnimation)
, m_property(property)
, m_generationTime(generationTime)
, m_targetStyle(RenderStyle::clonePtr(targetStyle))
+ , m_currentStyle(RenderStyle::clonePtr(oldStyle))
, m_reversingAdjustedStartStyle(RenderStyle::clonePtr(reversingAdjustedStartStyle))
, m_reversingShorteningFactor(reversingShorteningFactor)
{
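Review bot: A null `oldStyle` can still reach `RenderStyle::clonePtr(oldStyle)` in release builds, because the reference this constructor now takes is formed in `create()` (previous hunk) as `*oldStyle` from a nullable `const RenderStyle*` guarded only by `ASSERT(oldStyle)`, which WebKit compiles out outside debug builds, so the original null-`m_currentStyle` crash would be traded for a null-reference dereference at construction. If the pointer can no longer be null, the type-level fix is to change `create()`'s parameter to `const RenderStyle& oldStyle` and pass `&oldStyle` to `initialize()`; otherwise `RELEASE_ASSERT(oldStyle);` keeps the check alive in release. That `initialize(oldStyle, newStyle)` still accepts a pointer suggests null was once legal on this path, which is why pinning the contract down is worth doing rather than leaving it to an assertion.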
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/animation/CSSTransition.h (257328 => 257329)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/animation/CSSTransition.h 2020-02-25 16:01:12 UTC (rev 257328)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/animation/CSSTransition.h 2020-02-25 16:01:17 UTC (rev 257329)
@@ -53,7 +53,7 @@
void resolve(RenderStyle&) final;
private:
- CSSTransition(Element&, CSSPropertyID, MonotonicTime generationTime, const Animation&, const RenderStyle& targetStyle, const RenderStyle& reversingAdjustedStartStyle, double);
+ CSSTransition(Element&, CSSPropertyID, MonotonicTime generationTime, const Animation&, const RenderStyle& oldStyle, const RenderStyle& targetStyle, const RenderStyle& reversingAdjustedStartStyle, double);
void setTimingProperties(Seconds delay, Seconds duration);
CSSPropertyID m_property;
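Review bot: The new `oldStyle` parameter is undocumented, so a reader of the header cannot tell how it relates to the nullable `const RenderStyle* oldStyle` that `create()` (presumably declared above this hunk) still exposes, nor that the style is copied rather than retained. Suggest a comment above the declaration: `// oldStyle seeds m_currentStyle; oldStyle and targetStyle are cloned, so the caller's RenderStyles are not retained.` This matches the `RenderStyle::clonePtr` calls in the constructor's initializer list in CSSTransition.cpp.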